Root certificate
|
In cryptography and computer security, a root certificate is an unsigned public key certificate, or a self-signed certificate, and is part of a PKI scheme. The most common commercial variety is based on the ISO X.509 standard. Normally an X.509 certificate includes a digital signature from a certificate authority (CA) which vouches for correctness of the data contained in a certificate.
The authenticity of the CA's signature, and whether the CA can be trusted, can be determined by examining its certificate in turn. This chain must however end somewhere, and it does so at the root certificate, so called as it is at the root of a tree. (A CA can issue multiple certificates, which can be used to issue multiple certificates in turn, thus creating a tree).
Root certificates are implicitly trusted. They are included with many software applications. The best known is Web browsers; they are used for SSL / TLS secure connections. However this implies that you trust your browser's publisher to include correct root certificates, and in turn the certificate authorities it trusts, and any one the CA may have issued a certificate-issuing-certificate to, to faithfully authenticate the users of all their certificates. This (transitive) trust in a root certificate is merely assumed in the usual case, there being no way in practice to better ground it, but is integral to the X.509 certificate chain model.